OAUTH and OATH - confusing?
Just read an excellent post about the difference between OAUTH and OPEN ID.
http://mashable.com/2008/07/28/openid-and-oauth/
The reason for this post is that I wanted to make sure that there is no confusion between OAUTH and another standard called OATH which broadly fits in the same space.
Here is my understanding of OAUTH with an example shamelessly taken from their web site to explain:
OAUTH is a way for you to move from one site to another and grant the first site temporary access to your resources on the second site, without handing over your credentials for the second site. Here is a good real-life example:
"When a user wants to print a photo stored on another site, the interaction goes something like this: the user signs into the printer website and places an order for prints. The printer website asks which photos to print and the user chooses the name of the site where her photos are stored (from the list of sites supported by the printer). The printer website sends the user to the photo site to grant access. At the photo site the user signs into her account and is asked if she really wants to share her photos with the printer. If she agrees, she is sent back to the printer site which can now access the photos. At no point did the user share her username and password with the printer site."
OATH on the other hand is a standard for sharing a second-factor authentication token.
Imagine that you have 10 online relationships which are potentially interesting to a fraudster or contain sensitive personal information (such as banking, healthcare, retail, gaming, gambling, insurance etc.).
If each site provided you with a two factor authentication device (like a Vasco token or VIP Card) then you would need 10 tokens for your online relationships, obviously impractical and expensive at the consumer level.
OATH sets a standard where the consumer uses the same token across multiple sites.
The first factor of authentication (i.e. user name and password) would likely be different at each site and is not part of the OATH standards; in fact, guess what, this is where OPEN ID fits in.
A real-life example of OATH working is the VeriSign VIP network (enough plugging already; if you want to read more go to the VeriSign site).
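The OATH algorithm that such shared tokens run is HOTP (RFC 4226, an HMAC-SHA1 over an event counter), which the post does not name. Here is an added example, not from the post or from VeriSign, that implements HOTP and a small shared validation service so that several relying sites check the same physical token against one seed. The `ValidationService` class, the site names and the token id are constructed for illustration; the secret and expected codes are the RFC 4226 test vectors.

```python
"""HOTP (RFC 4226) plus a shared verifier: one token, many sites (added example)."""
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> decimal code."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks the window
    code = ((digest[offset] & 0x7F) << 24
            | digest[offset + 1] << 16
            | digest[offset + 2] << 8
            | digest[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


class ValidationService:
    """Constructed stand-in for a network-wide verifier: the seed lives here once,
    and every relying site asks this service instead of holding its own seed."""

    def __init__(self, seeds: Dict[str, Tuple[bytes, int]], look_ahead: int = 10) -> None:
        self.state = {tid: [secret, counter] for tid, (secret, counter) in seeds.items()}
        self.look_ahead = look_ahead          # tolerate button presses that were never sent
        self.audit: List[Tuple[str, str, bool]] = []   # (site, token_id, accepted)

    def verify(self, site: str, token_id: str, code: str) -> bool:
        entry = self.state.get(token_id)
        ok = False
        if entry is not None:
            secret, next_counter = entry
            for c in range(next_counter, next_counter + self.look_ahead):
                if hmac.compare_digest(hotp(secret, c), code):
                    entry[1] = c + 1          # move past the used counter: no replay
                    ok = True
                    break
        self.audit.append((site, token_id, ok))
        return ok


RFC_SECRET = b"12345678901234567890"        # RFC 4226 appendix D test secret


def demo() -> List[bool]:
    """One token ('tok-1') used at a bank and an insurer through the same verifier."""
    svc = ValidationService({"tok-1": (RFC_SECRET, 0)})
    results = [
        svc.verify("bank.example", "tok-1", hotp(RFC_SECRET, 0)),      # True
        svc.verify("bank.example", "tok-1", hotp(RFC_SECRET, 0)),      # False: replay
        svc.verify("insurer.example", "tok-1", hotp(RFC_SECRET, 3)),   # True: within look-ahead
        svc.verify("insurer.example", "tok-1", hotp(RFC_SECRET, 1)),   # False: counter is behind
    ]
    return results


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC_SECRET, c))
    print(demo())
```

Note that the sites never receive the seed, so compromising one relying site does not compromise the token at the other nine; the trade-off is that the verifier becomes the critical dependency, which is exactly the position a VIP-style network occupies.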
I have blogged before about my personal view on OPEN ID and OATH, but here is a simple diagram explaining that relationship.

If I were to fit OAUTH into the diagram, I guess it would sit across both the SITE ID part and the 1st FACTOR part: it establishes a standard where sites can identify themselves to each other, and where the consumer's first-factor login at one site is used to let the sites share resources.
Anyway, I see OAUTH, OATH and OPEN ID living side by side.